Is cyber insurance a regulatory requirement for firms? What type of business would benefit from cyber insurance? What does cyber insurance cover? We’ll answer these questions here and look at how insurance can mitigate cyber risks.
Cyber insurance is not usually a regulatory requirement in the same way that professional indemnity insurance (PII) is mandatory for some firms that offer professional advice as part of their service. However, given that a cyber insurance policy offers resilience in recovering from a cyberattack, it is expected that more and more regulators will require firms to have cyber insurance in place. And even for firms where regulations don’t apply, it is highly advisable to have cyber insurance and observe good cyber hygiene to mitigate the growing threat from cybercrime.
Cyber risk is a concern for every company, from start-ups to global brands, and the more businesses move online and rely on technology, the greater the vulnerabilities and the risk of a cyber incident. This was highlighted by Forbes in “Cyberattacks 2022: key observations and takeaways”, which describes how digital transformation is “significantly expanding the cyberattack surface and the number of critical failure points”.
Insurance should be part of an overall strategy to limit the damage from a cyberattack when security countermeasures fail, but cyber risks are not normally covered in standard commercial and general insurance policies, so it is important to consider cyber exposure as part of a wider risk analysis.
Ransomware on the rise
Ransomware is malicious software that disables computer systems until a sum of money (the ransom) is paid. Although it is hardly new, the frequency and sophistication of attacks have been increasing over the last three years, and IBM predicts that attacks will spike in 2023. If a system is breached, whether through ransomware or another type of cyberattack, such as hacking or phishing, there is a risk to:
• Data privacy
• IT infrastructure and operations
• Information governance
Resilience and recovery
Having a comprehensive cyber insurance policy will help to protect a company from financial and reputational damage and allow it to recover more quickly if cyber risks materialise. There are three main areas of cover in cyber insurance:
• Event Management
This involves the incident response expenses of an investigation by third parties to establish the extent of the breach; consultation on how to manage legal and regulatory issues; notification management via a crisis communication strategy; the establishment of a call centre to field queries; and the provision of credit monitoring.
• Financial Loss
Coverage for the loss of profits and increased costs of working during an interruption, along with the cost of managing a ransomware incident and the ransom itself. Some policies also cover theft of funds by computer crime.
• Third-party liability
This covers your liability from a third party’s loss, for example a failure to protect third-party data, or third parties seeking compensation for financial losses from hacking or virus transfer from your network. Cyber insurance can provide defence costs and any resulting damages from multi-jurisdictional claims, and in some cases insurable fines from regulators and the PCI.
Protection before a claim
Elmore has partnered with cyber security firm Asceris to demonstrate how best practice and better controls can prevent cyber events and avoid insurance claims.
When you approach Elmore for a quote, you will gain an understanding of the strengths and weaknesses of your business’s current systems. We will identify vulnerabilities and advise on how to improve security. From risk assessment and finding the most appropriate cover for your needs, to smooth claims handling and resolution, we provide a comprehensive service for cyber insurance.
Best practice and better controls
Talk to us now and find out how we can protect your business and your customers.
Written by Charlie Sorby – Junior Client Executive.